Have you ever endured a project meeting where you spent hours evaluating risks? Afterward, team members walked down the hall saying, “What a waste of time! Now I can get back to the real work.” Today, let’s discuss the use of qualitative risk analysis to get you back on track.

What causes this frustration? First, the evaluation process may not fit the project – too complex for simple projects or deficient for large, complex projects. Second, the process may not fit the maturity level of the project team. Third, team members view the process as burdensome with little value.

Qualitative Risk Analysis

What is Risk Evaluation?

Risk evaluation is the process to determine the significance of each risk. There are two ways to evaluate risks:

1. Qualitative Risk Analysis. Qualitative analysis such as rating probability and impact should always be performed. This allows you to quickly prioritize and rank your risks.
2. Quantitative Risk Analysis. Quantitative analysis is not always performed. This analysis requires more time but provides more data to aid in making decisions. (We will cover quantitative evaluations in another post.)

Why Evaluate/Prioritize Project Risks?

You cannot respond to all risks, neither should you. Prioritization is a way to deal with competing demands. This aids in determining where you will spend your limited time and effort.

We evaluate in order:

•  To have the greatest impact. Eighty percent of the impact will come from twenty percent of the risks. What are the vital few things that we should do that will have the greatest impact on minimizing threats and maximizing opportunities?
•  To respond wisely and appropriately. The goal of evaluating risks is to discriminate between one risk and another. This aids us in determining the amount of effort to invest in developing response plans.
•  To assign resources suitably. Assign your most skilled, knowledgeable resources to the projects with the greatest risk.

 How Do I Perform Qualitative Risk Analysis?

Let’s look at two qualitative risk evaluation methods: 1. the KISS Method, and 2. the Probability/Impact Method.

Be sure to specify your risk analysis technique(s) in your Risk Management Plan as you assess your risks, capture and maintain your Risk Ratings in your Risk Register.

Check with your organization to determine whether there is a definition of risk scales. If not, define the criteria for your scale.

Two Methods for Qualitative Risk Analysis

1. KISS Method

I use the KISS (Keep It Super Simple) Method on smaller projects and with teams that lack maturity in assessing risks. This one-dimensional technique involves rating risks as:

• Very Low
• Low
• Medium
• High
• Very High

This scale allows greater discrimination than the commonly used Low, Medium, and High scale.

2. Probability/Impact Method

I normally use this technique with larger, more complex projects and with teams that have experience with risk assessments.

This two-dimensional technique is used to rate probability and impact. Probability is the likelihood that a risk will occur. The impact is the consequence or effect of the risk, normally associated with impact to schedule, cost, scope, and quality. Rate probability and impact using a scale such as 1 to 10.

Once you have rated each risk, calculate the Risk Score as Probability x Impact. I sort my risks in descending order with the Risk Score as the primary sort.

Program Management

The Probability/Impact Method also helps in programs. I total the risk scores within each project to calculate the Project Risk Score and compare the scores between projects. This helps me understand which projects have the greatest risk exposure and where I need the most skilled people.